DirectAccess for 1 single FQDN

  • Question

  • Hello,

    I don't know if it's possible within the use of DirectAccess, but here is my question:

    Is it possible to configure DirectAccess in such a way that, for 1 particular FQDN, it uses the tunnel, while all others are connected directly?

    In fact, the opposite of what's done with NLS.

    Any ideas?

    Daniel

    Monday, September 29, 2014 6:23 AM

Answers

  • AFAIK, there is NO option in 2012 DA to tell it that you are explicitly adding an FQDN and NOT a DNS suffix.

    Instead, you can add the entry (in my case site1.contoso.com) in the URA console, apply the configuration and edit the GPOs created by 2012 DA. (Good thing: unlike UAG, 2012 DA URA doesn't overwrite the GPO during the next activation and adds ONLY the new changes, so your patch will be persistent.)

    You can follow the steps below, if you choose to do so.

    1. Open up the corresponding GPO for DA clients; the default name should be "DirectAccess Client Settings" unless you changed it when setting up DA.
    2. Right-click, choose Edit and navigate to Computer Configuration\Policies\Windows Settings\Name Resolution Policy\
    3. Look for the table titled "Name Resolution Policy Table" and pick the entry (site1.contoso.com).
    4. Choose the option "FQDN".
    5. To verify this, update Group Policy on any client machine and run the command "netsh name show policy".

    

    (Screenshot: Site1)

    Let me know, how it goes!



    • Edited by Vasu Deva Wednesday, October 1, 2014 2:55 PM
    • Proposed as answer by Vasu Deva Thursday, October 2, 2014 10:04 AM
    • Marked as answer by Daniel Paessens Monday, October 20, 2014 12:45 PM
    Wednesday, October 1, 2014 2:53 PM
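The verification in step 5 of the accepted answer, carried a bit further as an added example (this script is not from the thread or from Microsoft). It runs on a DirectAccess client that has the DnsClient module (Windows 8 / Server 2012 or later) after the client GPO has been refreshed, and reports whether the NRPT carries an exact-host (FQDN) rule for one name, as the GPO edit intends, or only the suffix form (".site1.contoso.com") that the DirectAccess console writes, which is what Daniel saw. site1.contoso.com is the name used in the thread; the rule-kind labels are the ones the GPO NRPT editor shows. Get-DnsClientNrptPolicy and its Namespace, DirectAccessEnabled, DirectAccessDnsServers and DirectAccessProxyName properties are from the DnsClient module; the function names are mine.

```powershell
# Added example, not part of the thread. Run on a DirectAccess client after
# "gpupdate /target:computer /force". Assumes the DnsClient module (Windows 8 /
# Server 2012 or later); site1.contoso.com is the thread's example host.

function Get-NrptRuleKind {
    param([Parameter(Mandatory)][string]$Namespace)
    # The rule type is encoded in the shape of the Namespace string: a leading dot
    # marks a suffix rule, a trailing dot a prefix rule, anything else an exact
    # FQDN rule. These are the labels the GPO NRPT editor uses.
    if ($Namespace.StartsWith('.')) { return 'Suffix' }
    if ($Namespace.EndsWith('.'))   { return 'Prefix' }
    return 'FQDN'
}

function Get-DaNrptRules {
    # Effective policy = locally configured rules merged with those delivered by
    # Group Policy (the "DirectAccess Client Settings" GPO edited in the answer).
    Get-DnsClientNrptPolicy -Effective |
        Where-Object { $_.DirectAccessEnabled } |
        ForEach-Object {
            [pscustomobject]@{
                Namespace  = $_.Namespace
                Kind       = Get-NrptRuleKind -Namespace $_.Namespace
                DnsServers = @($_.DirectAccessDnsServers) -join ', '   # expected: the DA server's DNS64 address
                Proxy      = $_.DirectAccessProxyName
            }
        }
}

function Test-DaFqdnRule {
    param([Parameter(Mandatory)][string]$Fqdn)
    $rules  = Get-DaNrptRules
    $exact  = $rules | Where-Object { $_.Namespace -ieq $Fqdn }    | Select-Object -First 1
    $suffix = $rules | Where-Object { $_.Namespace -ieq ".$Fqdn" } | Select-Object -First 1

    [pscustomobject]@{
        Fqdn          = $Fqdn
        HasFqdnRule   = [bool]$exact     # what the "FQDN" option in the GPO editor should produce
        HasSuffixRule = [bool]$suffix    # the ".host" form the DA console writes by default
        DnsServers    = $(if ($exact) { $exact.DnsServers } else { $null })
    }
}

# Usage, on the client:
#   gpupdate /target:computer /force
#   Get-DaNrptRules | Format-Table -AutoSize          # every DA rule with its kind
#   Test-DaFqdnRule -Fqdn 'site1.contoso.com'
#   netsh namespace show effectivepolicy              # the netsh view of the same table
```

If the result shows HasSuffixRule true and HasFqdnRule false, the GPO edit from step 4 has not reached the client yet, or the DA console has been re-applied and the entry was written back as a suffix; the rule listing makes the two forms visible side by side.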

All replies

  • Hello Daniel, 

    If I understand you correctly, JUST for Site1.contoso.com you need the traffic to flow through the DA tunnel?

    It can be done; you can add the FQDN to the NRPT in UAG or on the 2012 DA server and point it to the DA server's DNS64 address.

    Also make sure you have a proper route to Site1.contoso.com from the internal adapter of the DA server.

    HTH,

    Vasu Deva

    • Proposed as answer by Vasu Deva Monday, September 29, 2014 12:57 PM
    Monday, September 29, 2014 12:49 PM
  • Also make sure your internal DNS can resolve the above-said FQDN.
    Monday, September 29, 2014 12:56 PM
  • That's the problem. When you fill in the FQDN (for example test.domain.com), then in the namespace policy it is stated as .test.domain.com.

    In other words, it considers the DNS name .test.domain.com instead of the host test.domain.com.

    Daniel

    Monday, September 29, 2014 2:14 PM
  • Well, it all depends on the option you choose when you add the entry in the NRPT.

    In this case, you can use the option below; try it and let me know how it goes.

    (Screenshot: NRPT Screen)
    • Edited by Vasu Deva Tuesday, September 30, 2014 7:15 AM
    Tuesday, September 30, 2014 7:12 AM
  • I know this option in UAG, but in Windows 2012 R2 you do not have this option.

    Daniel

    Tuesday, September 30, 2014 7:18 AM
  • Hi there - actually, using PowerShell on the DA server you can add an FQDN and force it through the DA tunnel, and also specify a proxy server if required. This has been done on quite a few sites where, for example, misco.co.uk had to go through the tunnel and out of the corporate firewall so the request came from a specific IP address. This is not the case for you, but the same principle applies.

    Running Get-DAClientDNSConfiguration shows the DA server config.

    Running this command would allow test.misco.co.uk through the DA tunnel and not direct:

    Set-DAClientDNSConfiguration -DNSSuffix 'test.misco.co.uk'

    If you wanted to use a proxy server, add -ProxyServer 'Proxy:8080' to the end.

    Reference link that may help you - http://technet.microsoft.com/en-us/library/hh918389.aspx

    Although, as mentioned before, before doing so make sure the DA server can resolve the FQDN you need.

    Kr


    John Davies

    Thursday, October 2, 2014 3:07 PM
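The server-side route described in the reply above, written out as an added example (not from the thread or from Microsoft). It runs on the DirectAccess server, where the RemoteAccess module provides Get-, Add- and Set-DAClientDnsConfiguration with the -DnsSuffix, -DnsIPAddress and -ProxyServer parameters; the DnsSuffix and DnsIPAddress property names on the Get- output are taken from that cmdlet's table columns and are an assumption here. It first checks that the DA server itself can resolve the name (the caveat made twice in this thread), reuses the DNS64 address the existing entries already point at instead of hard-coding it, adds the entry if it is missing or updates it if present, and can set the proxy the reply mentions. test.misco.co.uk is the name from the reply; the proxy name is a placeholder. Whether the entry reaches clients as an exact FQDN rule or as a ".host" suffix rule is something to confirm on a client afterwards with Get-DnsClientNrptPolicy -Effective, since the console itself writes suffixes.

```powershell
# Added example, not part of the thread. Run on the DirectAccess server
# (RemoteAccess module). The proxy name below is a placeholder.

function Set-DaTunneledHost {
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [string]$ProxyServer                # e.g. 'proxy.corp.example:8080' (placeholder)
    )

    # The DA server answers tunneled queries for this name through DNS64, so its
    # own internal DNS must resolve it; stop here if it cannot.
    $null = Resolve-DnsName -Name $Fqdn -ErrorAction Stop

    $entries = Get-DAClientDnsConfiguration

    # Reuse the DNS64 address already configured for the corporate suffix; take it
    # from the first existing entry that carries one (property name assumed).
    $dns64 = ($entries | Where-Object { $_.DnsIPAddress } | Select-Object -First 1).DnsIPAddress
    if (-not $dns64) {
        throw 'No existing NRPT entry has a DNS server address; finish the DirectAccess setup first.'
    }

    # Match either the bare name or the dotted suffix form, since the console may
    # have stored an earlier attempt as ".host".
    $present = $entries |
        Where-Object { $_.DnsSuffix -ieq $Fqdn -or $_.DnsSuffix -ieq ".$Fqdn" } |
        Select-Object -First 1

    $params = @{ DnsIPAddress = $dns64 }
    if ($ProxyServer) { $params['ProxyServer'] = $ProxyServer }

    if ($present) {
        # Update in place, addressing the entry by the exact suffix string stored.
        $params['DnsSuffix'] = $present.DnsSuffix
        Set-DAClientDnsConfiguration @params
    } else {
        $params['DnsSuffix'] = $Fqdn
        Add-DAClientDnsConfiguration @params
    }

    # Return the resulting row(s) so they can be compared with the corporate suffix row.
    Get-DAClientDnsConfiguration | Where-Object { $_.DnsSuffix -match [regex]::Escape($Fqdn) }
}

# Usage:
#   Set-DaTunneledHost -Fqdn 'test.misco.co.uk'
#   Set-DaTunneledHost -Fqdn 'test.misco.co.uk' -ProxyServer 'proxy.corp.example:8080'
```

After the change, run gpupdate on a client and inspect the effective NRPT (Get-DnsClientNrptPolicy -Effective or netsh namespace show effectivepolicy) to see which form the entry arrived in; the route from the DA server's internal adapter to the host, mentioned earlier in the thread, still has to exist for the tunneled traffic to get anywhere.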
  • Hi, why not consider the remote management only option of DirectAccess? If you add your URL to the infrastructure tunnel allowed list (Step 3, if I remember well). In this mode there is a single tunnel, the infrastructure tunnel. If you add your URL to the list, users will be allowed to access your resource, and only this resource.

    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Sunday, October 5, 2014 2:36 PM